Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks: latest papers

Can Android Applications Be Identified Using Only TCP/IP Headers of Their Launch Time Traffic?
Hasan Faik Alan, J. Kaur
The ability to identify mobile apps in network traffic has significant implications in many domains, including traffic management, malware detection, and maintaining user privacy. App identification methods in the literature typically use deep packet inspection (DPI) and analyze HTTP headers to extract app fingerprints. However, these methods cannot be used if HTTP traffic is encrypted. We investigate whether Android apps can be identified from their launch-time network traffic using only TCP/IP headers. We first capture network traffic of 86,109 app launches by repeatedly running 1,595 apps on 4 distinct Android devices. We then use supervised learning methods used previously in the web page identification literature, to identify the apps that generated the traffic. We find that: (i) popular Android apps can be identified with 88% accuracy, by using the packet sizes of the first 64 packets they generate, when the learning methods are trained and tested on the data collected from same device; (ii) when the data from an unseen device (but similar operating system/vendor) is used for testing, the apps can be identified with 67% accuracy; (iii) the app identification accuracy does not drop significantly even if the training data are stale by several days, and (iv) the accuracy does drop quite significantly if the operating system/vendor is very different. We discuss the implications of our findings as well as open issues.
DOI: https://doi.org/10.1145/2939918.2939929 (published 2016-07-18)
Citations: 75
Detecting SMS Spam in the Age of Legitimate Bulk Messaging
Bradley Reaves, Logan Blue, D. Tian, Patrick Traynor, Kevin R. B. Butler
Text messaging is used by more people around the world than any other communications technology. As such, it presents a desirable medium for spammers. While this problem has been studied by many researchers over the years, the recent increase in legitimate bulk traffic (e.g., account verification, 2FA, etc.) has dramatically changed the mix of traffic seen in this space, reducing the effectiveness of previous spam classification efforts. This paper demonstrates the performance degradation of those detectors when used on a large-scale corpus of text messages containing both bulk and spam messages. Against our labeled dataset of text messages collected over 14 months, the precision and recall of past classifiers fall to 23.8% and 61.3% respectively. However, using our classification techniques and labeled clusters, precision and recall rise to 100% and 96.8%. We not only show that our collected dataset helps to correct many of the overtraining errors seen in previous studies, but also present insights into a number of current SMS spam campaigns.
DOI: https://doi.org/10.1145/2939918.2939937 (published 2016-07-18)
Citations: 22
Dissecting Customized Protocols: Automatic Analysis for Customized Protocols based on IEEE 802.15.4
Kibum Choi, Yunmok Son, Juhwan Noh, Hocheol Shin, Jaeyeong Choi, Yongdae Kim
IEEE 802.15.4 is widely used as lower layers for not only well-known wireless communication standards such as ZigBee, 6LoWPAN, and WirelessHART, but also customized protocols developed by manufacturers, particularly for various Internet of Things (IoT) devices. Customized protocols are not usually publicly disclosed nor standardized. Moreover, unlike textual protocols (e.g., HTTP, SMTP, POP3), customized protocols for IoT devices provide no clues such as strings or keywords that are useful for analysis. Instead, they use bits or bytes to represent header and body information in order to save power and bandwidth. On the other hand, they often do not employ encryption, fragmentation, or authentication to save cost and effort in implementations. In other words, their security relies only on the confidentiality of the protocol itself. In this paper, we introduce a novel methodology to analyze and reconstruct unknown wireless customized protocols over IEEE 802.15.4. Based on this methodology, we develop an automatic analysis and spoofing tool called WPAN automatic spoofer (WASp) that can be used to understand and reconstruct customized protocols to byte-level accuracy, and to generate packets that can be used for verification of analysis results or spoofing attacks. The methodology consists of four phases: packet collection, packet grouping, protocol analysis, and packet generation. Except for the packet collection step, all steps are fully automated. Although the use of customized protocols is also unknown before the collecting phase, we choose two real-world target systems for evaluation: the smart plug system and platform screen door (PSD) to evaluate our methodology and WASp. In the evaluation, 7,299 and 217 packets are used as datasets for both target systems, respectively. As a result, on average, WASp is found to reduce entropy of legitimate message space by 93.77% and 88.11% for customized protocols used in smart plug and PSD systems, respectively. In addition, on average, 48.19% of automatically generated packets are successfully spoofed for the first target systems.
DOI: https://doi.org/10.1145/2939918.2939921 (published 2016-07-18)
Citations: 15
POSTER: Security Design Patterns With Good Usability
H. Hof, Gudrun Socher
This poster presents work-in-progress in the field of usable security. The usability of security mechanisms is crucial to avoid unintended misuse of security mechanisms which lowers the security level of a system. It is the goal of the work presented in this poster to identify security design patterns with good usability. Requirements for security design patterns with good usability stem from existing usable security design guidelines. A collection of security usability failures is presented as well as examples of how misuse anti-patterns can be derived from these failures. Misuse cases will be used in future work to identify security design patterns with good usability.
DOI: https://doi.org/10.1145/2939918.2942423 (published 2016-07-18)
Citations: 1
Evading Android Runtime Analysis Through Detecting Programmed Interactions
Wenrui Diao, Xiangyu Liu, Zhou Li, Kehuan Zhang
Dynamic analysis technique has been widely used in Android malware detection. Previous works on evading dynamic analysis focus on discovering the fingerprints of emulators. However, such method has been challenged since the introduction of real devices in recent works. In this paper, we propose a new approach to evade automated runtime analysis through detecting programmed interactions. This approach, in essence, tries to tell the identity of the current app controller (human user or automated exploration tool), by finding intrinsic differences between human user and machine tester in interaction patterns. The effectiveness of our approach has been demonstrated through evaluation against 11 real-world online dynamic analysis services.
DOI: https://doi.org/10.1145/2939918.2939926 (published 2016-07-18)
Citations: 22
Slogger: Smashing Motion-based Touchstroke Logging with Transparent System Noise
Prakash Shrestha, Manar Mohamed, Nitesh Saxena
Recent research shows that it is possible to infer a user's touchscreen inputs (e.g., passwords) on Android devices based on inertial (motion/position) sensors, currently freely-accessible by any Android app. Given the high accuracies of such touchstroke logging attacks, they are now considered a significant threat to user privacy. Consequently, the security community has started exploring defenses to such side channel attacks, but the suggested solutions are either not effective (e.g., those based on vibrational noise) and/or may significantly undermine system usability (e.g., those based on keyboard layout randomization). In this paper, we introduce a novel and practical defense to motion-based touchstroke leakage based on system-generated, fully automated and user-oblivious sensory noise. Our defense leverages a recently developed framework, SMASheD, that takes advantage of the Android's ADB functionality and can programmatically inject noise to various inertial sensors. Although SMASheD was originally advertised as a malicious app by its authors, we use it to build a defense mechanism, called Slogger ("Smashing the logger"), for defeating sensor-based touchstroke logging attacks. Slogger transparently inserts noisy sensor readings in the background as the user provides sensitive touchscreen input (e.g., password, PIN or credit card info) in order to obfuscate the original sensor readings. It can be installed in the user space without the need to root the device and to change the device's OS or kernel. Our contributions are three-fold. First, we introduce Slogger, identifying a novel, benign use case of SMASheD that can defeat touchstroke logging attacks. Second, we design and implement the Slogger app system that can be used to protect sensitive touchscreen input from leaking away. Third, we comprehensively evaluate Slogger against state-of-the-art touchstroke detection and inference attacks. 
Our results show that Slogger can significantly reduce the level of touchstroke leakage to the extent these attacks may become unworkable in practice, without affecting other benign apps. We also show that the leakage can be minimized even when attacks utilize a fusion of multiple motion-position sensors.
DOI: https://doi.org/10.1145/2939918.2939924 (published 2016-07-18)
Citations: 26
POSTER: Exploiting Dynamic Partial Reconfiguration for Improved Resistance Against Power Analysis Attacks on FPGAs
Ghada Dessouky, A. Sadeghi
FPGA devices are increasingly deployed in wireless and heterogeneous networks in-field due to their re-programmable nature and high performance. Modern FPGA devices can have part of their logic partially reconfigured during runtime operation, which we propose to exploit to realize a general-purpose, flexible and reconfigurable DPA countermeasure that can be integrated into any FPGA-based system, irrespective of the cryptographic algorithm or implementation. We propose a real-time dynamic closed-loop on-chip noise generation countermeasure which consists of an on-chip power monitor coupled with a low-overhead Gaussian noise generator. The noise generator is reconfigured continuously to update its generated noise amplitude and variance so that it sufficiently hides the computation power consumption. Our scheme and its integration onto an SoC is presented as well as our proposal for evaluating its effectiveness and overhead.
DOI: https://doi.org/10.1145/2939918.2942426 (published 2016-07-18)
Citations: 2
Exploiting Data-Usage Statistics for Website Fingerprinting Attacks on Android
Raphael Spreitzer, Simone Griesmayr, Thomas Korak, S. Mangard
The browsing behavior of a user allows to infer personal details, such as health status, political interests, sexual orientation, etc. In order to protect this sensitive information and to cope with possible privacy threats, defense mechanisms like SSH tunnels and anonymity networks (e.g., Tor) have been established. A known shortcoming of these defenses is that website fingerprinting attacks allow to infer a user's browsing behavior based on traffic analysis techniques. However, website fingerprinting typically assumes access to the client's network or to a router near the client, which restricts the applicability of these attacks. In this work, we show that this rather strong assumption is not required for website fingerprinting attacks. Our client-side attack overcomes several limitations and assumptions of network-based fingerprinting attacks, e.g., network conditions and traffic noise, disabled browser caches, expensive training phases, etc. Thereby, we eliminate assumptions used for academic purposes and present a practical attack that can be implemented easily and deployed on a large scale. Eventually, we show that an unprivileged application can infer the browsing behavior by exploiting the unprotected access to the Android data-usage statistics. More specifically, we are able to infer 97% of 2,500 page visits out of a set of 500 monitored pages correctly. Even if the traffic is routed through Tor by using the Orbot proxy in combination with the Orweb browser, we can infer 95% of 500 page visits out of a set of 100 monitored pages correctly. Thus, the READ_HISTORY_BOOKMARKS permission, which is supposed to protect the browsing behavior, does not provide protection.
DOI: https://doi.org/10.1145/2939918.2939922 (published 2016-07-18)
Citations: 41
Constructive and Destructive Aspects of Adaptive Wormholes for the 5G Tactile Internet
Christian T. Zenger, J. Zimmer, M. Pietersz, B. Driessen, C. Paar
In this work, we constructively combine adaptive wormholes with channel-reciprocity based key establishment (CRKE), which has been proposed as a lightweight security solution for IoT devices and might be even more important for the 5G Tactile Internet and its embedded low-end devices. We present a new secret key generation protocol where two parties compute shared cryptographic keys under narrow-band multi-path fading models over a delayed digital channel. The proposed approach furthermore enables distance-bounding the key establishment process via the coherence time dependencies of the wireless channel. Our scheme is thoroughly evaluated both theoretically and practically. For the latter, we used a testbed based on the IEEE 802.15.4 standard and performed extensive experiments in a real-world manufacturing environment. Additionally, we demonstrate adaptive wormhole attacks (AWOAs) and their consequences on several physical-layer security schemes. Furthermore, we proposed a countermeasure that minimizes the risk of AWOAs.
DOI: https://doi.org/10.1145/2939918.2939923 (published 2016-07-18)
Citations: 6
POSTER: Toward a Secure and Scalable Attestation
Moreno Ambrosin, M. Conti, Ahmad Ibrahim, G. Neven, A. Sadeghi, M. Schunter
Large numbers of smart devices are permeating our environment to collect data and act on the insight derived. Examples of such devices include smart homes, factories, cars, or wearables. For privacy, security, and safety, ensuring correctness of the configuration of these devices is essential. One key mechanism to protect the software integrity of these devices is attestation. In this paper, we analyze the requirements for efficient attestation of large numbers of interconnected embedded systems. We present the first collective attestation protocol which allows attesting an unlimited number of devices. Simulation results show a run-time of 5.3 seconds in networks of 50,000 low-end embedded devices.
DOI: https://doi.org/10.1145/2939918.2942425 (published 2016-07-18)
Citations: 0
Journal: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks